Your message dated Tue, 04 Jan 2022 14:48:52 +0000
with message-id <e1n4l7m-00044n...@fasolo.debian.org>
and subject line Bug#1003113: fixed in python-django 2:3.2.11-1
has caused the Debian Bug report #1003113,
regarding python-django: CVE-2021-45115, CVE-2021-45116 & CVE-2021-45452
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1003113: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003113
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-django
Version: 1:1.10.7-2+deb9u14
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for python-django:
* CVE-2021-45115: Denial-of-service possibility in
UserAttributeSimilarityValidator [0]
UserAttributeSimilarityValidator incurred significant overhead
evaluating submitted passwords that were artificially large
relative to the comparison values. On the assumption that access
to user registration was unrestricted, this provided a potential
vector for a denial-of-service attack.
In order to mitigate this issue, relatively long values are now
ignored by UserAttributeSimilarityValidator.
* CVE-2021-45116: Potential information disclosure in dictsort
template filter [1]
Due to leveraging the Django Template Language's variable resolution
logic, the dictsort template filter was potentially vulnerable to
information disclosure or unintended method calls, if passed a
suitably crafted key.
In order to avoid this possibility, dictsort now works with a
restricted resolution logic that will not call methods, nor allow
indexing on dictionaries.
* CVE-2021-45452: Potential directory-traversal via Storage.save() [2]
Storage.save() allowed directory-traversal if directly passed
suitably crafted file names.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-45115
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45115
[1] https://security-tracker.debian.org/tracker/CVE-2021-45116
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45116
[2] https://security-tracker.debian.org/tracker/CVE-2021-45452
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45452
Regards,
--
Chris Lamb
la...@debian.org / chris-lamb.co.uk
--- End Message ---
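The length-ratio mitigation described for CVE-2021-45115, as an added illustration written for this thread rather than code from the bug report or from Django itself: because SequenceMatcher.quick_ratio() can never exceed 2*min(len(a), len(b))/(len(a)+len(b)), a password far longer than the attribute it is compared with cannot reach the similarity threshold, so the comparison can be skipped in constant time. The helper names are this example's own; 0.7 mirrors Django's documented default max_similarity, and the user record is constructed.

```python
import re
from difflib import SequenceMatcher

# Mirrors Django's documented default for max_similarity; the helper names
# below belong to this example, not to Django's API.
MAX_SIMILARITY = 0.7


def exceeds_maximum_length_ratio(password: str, max_similarity: float, value: str) -> bool:
    """True when the password is so much longer than the attribute value that
    no similarity score could reach max_similarity, so the matcher is skipped.

    quick_ratio() is 2*M/T with M <= min(len(a), len(b)) and T = len(a)+len(b);
    once value_len < max_similarity/2 * pwd_len that bound sits below the
    threshold, so running the matcher on an oversized (attacker-sized)
    password would be wasted work.
    """
    pwd_len = len(password)
    value_len = len(value)
    length_bound_similarity = max_similarity / 2 * pwd_len
    return pwd_len >= 10 * value_len and value_len < length_bound_similarity


def similar_to_attribute(password: str, value: str,
                         max_similarity: float = MAX_SIMILARITY) -> bool:
    """Compare a password with one user attribute (username, email, ...),
    splitting the attribute on non-word characters as the validator does."""
    value_lower = value.lower()
    parts = re.split(r"\W+", value_lower) + [value_lower]
    for part in parts:
        if not part or exceeds_maximum_length_ratio(password, max_similarity, part):
            continue  # cheap pre-check: this part can never match closely enough
        if SequenceMatcher(a=password.lower(), b=part).quick_ratio() >= max_similarity:
            return True
    return False


def offending_attributes(password: str, user_attributes: dict) -> list:
    """Names of the attributes the password is too similar to."""
    return [name for name, value in user_attributes.items()
            if isinstance(value, str) and value and similar_to_attribute(password, value)]


if __name__ == "__main__":
    # Constructed sample user; the 100 000-character password is rejected by
    # the pre-check for every part instead of being fed to the matcher.
    user = {"username": "alice.smith", "email": "a@example.com"}
    print(offending_attributes("alicesmith1", user))   # ['username']
    print(offending_attributes("x" * 100_000, user))   # []
```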
--- Begin Message ---
Source: python-django
Source-Version: 2:3.2.11-1
Done: Chris Lamb <la...@debian.org>
We believe that the bug you reported is fixed in the latest version of
python-django, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1003...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated python-django package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Tue, 04 Jan 2022 12:35:16 +0000
Source: python-django
Built-For-Profiles: nocheck
Architecture: source
Version: 2:3.2.11-1
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Closes: 1003113
Changes:
python-django (2:3.2.11-1) unstable; urgency=high
.
* New upstream security release:
.
- CVE-2021-45115: Denial-of-service possibility in
UserAttributeSimilarityValidator
.
UserAttributeSimilarityValidator incurred significant overhead evaluating
submitted passwords that were artificially large relative to the
comparison values. On the assumption that access to user registration was
unrestricted, this provided a potential vector for a denial-of-service
attack.
.
In order to mitigate this issue, relatively long values are now ignored
by UserAttributeSimilarityValidator.
.
- CVE-2021-45116: Potential information disclosure in dictsort template
filter
.
Due to leveraging the Django Template Language's variable resolution
logic, the dictsort template filter was potentially vulnerable to
information disclosure or unintended method calls, if passed a
suitably crafted key.
.
In order to avoid this possibility, dictsort now works with a
restricted resolution logic that will not call methods, nor allow
indexing on dictionaries.
.
- CVE-2021-45452: Potential directory-traversal via Storage.save()
.
Storage.save() allowed directory-traversal if directly passed suitably
crafted file names.
.
See <https://www.djangoproject.com/weblog/2022/jan/04/security-releases/>
for more information. (Closes: #1003113)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---
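A file-name check of the kind the CVE-2021-45452 fix calls for, as an added example written for this thread and not Django's own Storage code: it rejects absolute names and any ".." component before joining, then re-checks that the joined path still lies under the storage root. The storage root and the candidate names are constructed, and POSIX-style separators are assumed.

```python
import os
from pathlib import PurePosixPath


class SuspiciousFileOperation(Exception):
    """Raised when a caller-supplied file name would escape the storage root."""


def validate_file_name(name: str) -> str:
    """Reject absolute names and any name containing a '..' component.

    Backslashes are normalised to '/' first so a Windows-style separator
    cannot smuggle a component past the check (this example's own rule).
    """
    path = PurePosixPath(str(name).replace("\\", "/"))
    if path.is_absolute() or ".." in path.parts:
        raise SuspiciousFileOperation(f"detected path traversal attempt in {name!r}")
    return str(path)


def safe_join(base: str, *paths: str) -> str:
    """Join under base and confirm the absolute result stays inside base;
    defence in depth in case a caller bypasses validate_file_name."""
    base_path = os.path.abspath(base)
    final_path = os.path.abspath(os.path.join(base_path, *paths))
    base_cmp = os.path.normcase(base_path).rstrip(os.sep)
    final_cmp = os.path.normcase(final_path)
    if final_cmp != base_cmp and not final_cmp.startswith(base_cmp + os.sep):
        raise SuspiciousFileOperation(
            f"joined path {final_path!r} is outside storage root {base_path!r}")
    return final_path


def resolve_save_path(root: str, name: str) -> str:
    """Where a storage backend would write the file called `name` under `root`."""
    return safe_join(root, validate_file_name(name))


def classify(root: str, name: str) -> str:
    """'accepted' or 'rejected' for a candidate name, for quick review of inputs."""
    try:
        resolve_save_path(root, name)
    except SuspiciousFileOperation:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    # Constructed root and names; only the plain relative name is accepted.
    for candidate in ("uploads/report.pdf", "../report.pdf", "/etc/report.pdf"):
        print(candidate, "->", classify("/srv/media", candidate))
```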